
I know this question has been asked several times but I am still struggling and fail to comprehend the answers provided already.

I have a sidebar with a category "abc". On clicking it, a pop-up div loads asking the user to log in or register. Once the user logs in, it loads the page "xyz.php" through AJAX:

var emaillogin = $("#emaillogin").val(); // e-mail typed into the login form (the original snippet did not show where this came from)
var dataString1 = 'emaillogin=' + encodeURIComponent(emaillogin) + '&submitted=1';
$.ajax({
    type: "POST",
    url: "xyz-login.php",
    data: dataString1,
    beforeSend: function () {
        // Show loading image
    },
    success: function (response) {
        // Check to see if the message is sent or not
        window.location = 'http://www.123.com/xyz.php';
        $("#emaillogin").val('Email');
    }
});

Hence on success I load the URL. However, I want to prevent users from directly accessing the URL, which would allow them to bypass login. How do I prevent this? Do I block this inside the AJAX call? Should I add it to the xyz.php page and check there whether XmlHttpRequest is in the header of the request? Can somebody explain how and where the check can be applied?

Sarah
  • If you want to stop someone accessing a resource if they aren't logged in, then *test for that*, don't test to see if it is Ajax! – Quentin Dec 07 '14 at 12:31
  • I disagree with the duplicate flag, as the highest voted answer isn't really a secure answer, and this question has a much better alternative solution using PHP session variables – Adi Bradfield Dec 07 '14 at 12:34
  • @Quentin like I said, this has been asked earlier but I couldn't comprehend and so was waiting for an "explained" answer rather than just a solution – Sarah Dec 07 '14 at 12:58
  • @Sarah — The accepted answer does explain it. If there is something about it you don't understand then try asking a more specific question about the part you have trouble with, and link to the earlier question for context. – Quentin Dec 07 '14 at 13:00
  • @AdiBradfield — I think the question would need to be rewritten to focus on the real problem before it should be reopened (but then the answer would probably be "The same way you use for all your other pages that need auth" so it would just get closed again). – Quentin Dec 07 '14 at 13:01
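The approach the comments point at (test whether the user is logged in, not whether the request came from AJAX) looks like this in PHP. This is an added example, not code from the asker or from any answer on the page: the login endpoint stores the authenticated user's id in the PHP session, and the protected page refuses to render unless that session value is present. The `authenticate()` function, the `password` field and the `/login.php` redirect target are assumptions; the asker's form only sends the e-mail. Checking for an `X-Requested-With: XMLHttpRequest` header is not a substitute, because that header is set by the client and anyone can send a request with it.

```php
<?php
// ---- auth.php: shared helper included by every page that needs a logged-in user ----
// Call this at the very top of a protected page, before any output is produced.
function require_login(string $loginUrl = '/login.php'): void   // $loginUrl is a hypothetical path
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (empty($_SESSION['user_id'])) {
        // Not logged in: redirect to the login page and STOP. Without exit(),
        // PHP keeps executing and the protected content is still sent.
        header('Location: ' . $loginUrl, true, 302);
        exit;
    }
}

// ---- xyz-login.php: target of the AJAX POST from the login form ----
// Hypothetical credential check: returns the user's id on success, null otherwise.
// A real implementation would look the user up and use password_verify().
function authenticate(string $email, string $password): ?int
{
    return null; // placeholder body; replace with the real lookup
}

function handle_login(): void
{
    session_start();
    if (isset($_POST['submitted'], $_POST['emaillogin'])) {
        $email    = trim($_POST['emaillogin']);
        $password = $_POST['password'] ?? '';   // assumed extra form field
        $userId   = authenticate($email, $password);
        if ($userId !== null) {
            session_regenerate_id(true);       // fresh session id once privileges change
            $_SESSION['user_id'] = $userId;    // this server-side value is what proves the login
            http_response_code(200);
            echo 'ok';                         // the JS success handler should check for this before redirecting
            return;
        }
    }
    http_response_code(401);
    echo 'login failed';
}

// ---- xyz.php: the page that must not be reachable without logging in ----
// require 'auth.php';
// require_login();
// ... content for logged-in users only ...
```

With this in place it does not matter whether xyz.php is reached via the redirect in the AJAX success handler or by typing the URL directly: the session check runs on every request, and a visitor without `$_SESSION['user_id']` is redirected before any content is sent. The client-side redirect is only a convenience; the server-side check is the control.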
